Certificates for Mobile VPN with L2TP Tunnel Authentication

When a Mobile VPN with L2TP tunnel is created, each endpoint must prove its identity to the other. The credential can be a passphrase or pre-shared key (PSK) known by both endpoints, a third-party or self-signed certificate, or a certificate from the Management Server. A certificate avoids sharing one secret with every client and lets you revoke a single endpoint's credential without reconfiguring the others. To use a certificate from the Management Server for Mobile VPN authentication, your XTM device must be a managed device; you use WatchGuard System Manager to configure the XTM device as a managed device.

For more information, see WatchGuard System Manager Help.

To use a certificate for a new Mobile VPN with L2TP tunnel:

  1. Select VPN > Mobile VPN with L2TP.
    The Mobile VPN with L2TP page appears.
  2. Click Run Wizard.
    The WatchGuard L2TP Setup Wizard appears.
  3. For instructions to complete the wizard, see Use the WatchGuard L2TP Setup Wizard.
  4. On the Select the tunnel authentication method page, select Use IPSec Firebox Certificate and select an RSA certificate from the list.
  5. Finish the wizard.

To change an existing Mobile VPN tunnel to use certificates for authentication:

  1. Select VPN > Mobile VPN with L2TP.
  2. Click Configure.
  3. Select the IPSec tab.
  4. Select Use IPSec Firebox Certificate and select an RSA certificate from the list.
  5. Click Save.

For more information on Mobile VPN with L2TP, see About Mobile VPN with L2TP.

Verify VPN Certificates with an LDAP Server

If you have access to an LDAP server that publishes the CA's certificate revocation list (CRL), you can configure your XTM device to use it to automatically verify the certificates used for VPN authentication. To use this feature, you must have the LDAP account information provided by the third-party CA service.

  1. Select VPN > Global Settings.
    The Global VPN Settings page appears.
    (Screen shot: Global VPN Settings dialog box)
  2. Select the Enable LDAP Server for certificate verification check box.
  3. In the Server text box, type the name or IP address of the LDAP server.
  4. (Optional) Type or select the Port number.
  5. Click OK.
    Your XTM device checks the CRL stored on the LDAP server when tunnel authentication is requested. A certificate is rejected only if the CRL the device retrieves lists it, so publish an updated CRL to the LDAP server promptly after any revocation.
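The two procedures above assume that an RSA certificate for the Firebox already exists and that the CA publishes a CRL the device can consult. The following script, added here as an example and not WatchGuard tooling, shows what those pieces are: it builds a throwaway RSA CA with openssl, issues a certificate for the Firebox endpoint, publishes a CRL, and runs the same CRL check a VPN peer performs, once before the certificate is revoked and once after. The CA name "Demo VPN CA", the subject firebox.example.com, the CRL reason, and all file names are assumptions constructed for the example; everything is written to a temporary directory that is removed on exit.

```shell
#!/bin/sh
# Added example, not WatchGuard tooling: a throwaway RSA CA that issues a
# Firebox certificate, publishes a CRL, and shows the CRL check accepting the
# certificate before revocation and rejecting it afterwards. Every file here
# is constructed in a temporary directory; "Demo VPN CA" and
# firebox.example.com are assumed names for the example.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl ca(1) configuration (constructed for this example).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = index.txt
serial           = serial
crlnumber        = crlnumber
new_certs_dir    = newcerts
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
x509_extensions  = firebox_ext

[ cn_only ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext

[ ca_dn ]
CN = Demo VPN CA

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ firebox_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

mkdir newcerts
: > index.txt
echo 1000 > serial
echo 1000 > crlnumber

# Self-signed RSA CA; stands in for the third-party or self-signed CA.
make_ca() {
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -days 365 2>/dev/null
}

# RSA key plus CA-signed certificate for the Firebox endpoint.
issue_firebox_cert() {
  openssl req -new -config ca.cnf -subj "/CN=firebox.example.com" \
    -newkey rsa:2048 -nodes -keyout firebox.key -out firebox.csr 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in firebox.csr -out firebox.crt 2>/dev/null
}

# Publish a fresh CRL; in production this is what the LDAP server serves.
publish_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

# Mark the Firebox certificate as revoked in the CA database.
revoke_firebox_cert() {
  openssl ca -config ca.cnf -revoke firebox.crt -crl_reason keyCompromise 2>/dev/null
}

# The check the VPN peer performs: chain to the CA and consult the CRL.
# Prints OK, REVOKED, or INVALID for the certificate file given as $1.
crl_check_status() {
  out="$(openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1" 2>&1 || true)"
  case "$out" in
    *": OK"*)                echo OK ;;
    *"certificate revoked"*) echo REVOKED ;;
    *)                       echo INVALID ;;
  esac
}

make_ca
issue_firebox_cert
publish_crl
BEFORE_REVOCATION="$(crl_check_status firebox.crt)"
revoke_firebox_cert
publish_crl   # a stale CRL would still say OK; the peer must fetch the new one
AFTER_REVOCATION="$(crl_check_status firebox.crt)"
echo "before revocation: $BEFORE_REVOCATION"
echo "after revocation:  $AFTER_REVOCATION"
```

The second publish_crl call is the step that matters for the LDAP setting above: revoking a certificate in the CA database changes nothing for the VPN peer until a new CRL is generated and placed where the device fetches it.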

See Also

About Certificates

Use the WatchGuard L2TP Setup Wizard
